[Openid-specs-ab] Preveinting Artifact Capture Attack for RPF case

Nat Sakimura sakimura at gmail.com
Sat May 8 03:47:29 UTC 2010

The attack that I care about here is as follows:

1. An attacker creates an authentication request URL.
2. Then attacker sends it to the victim.
3. The victim clicks the link and authenticates himself to the OP.
4. The attacker somehow stops the victim getting redirected to the RP.
5. The attacker uses the artifact to access the RP.
6. The RP obtains the assertion based on the artifact so that the attacker
successfully impersonates the victim.

It seems for this attack to succeeds, the attacker needs to have the control
of the victim's browser.
(because all the sessions are over TLS/SSL, this is the only point that an
attacker can obtain the artifact.)

Do we need to care for it? I doubt it since if the attacker has the control
over victim's browser, he can practically do anything.

I came to think about it when I was writing a security consideration against
assertion substitution attack.
Your inputs are most welcome.

Nat Sakimura (=nat)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20100508/b0bcac56/attachment.htm>

More information about the Openid-specs-ab mailing list